From c9d477242ceaa85ce70c42272ee44e99b386c01d Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Wed, 4 Jan 2017 10:00:49 +0100
Subject: [PATCH] [cff] More consistency checks for pure CFFs.

Reported as

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=378

* src/cff/cffload.c (cff_font_load): Check element number and size of Name and Top DICT indices.
---
ChangeLog | 11 +++++++++++
src/cff/cffload.c | 19 +++++++++++++++++++
2 files changed, 30 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 413949cb9..1a475456a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2017-01-04 Werner Lemberg
+
+ [cff] More consistency checks for pure CFFs.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=378
+
+ * src/cff/cffload.c (cff_font_load): Check element number and size
+ of Name and Top DICT indices.
+
 2017-01-04 Werner Lemberg
 
 [cff, truetype] Minor tracing improvement.
diff --git a/src/cff/cffload.c b/src/cff/cffload.c
index cb1c0b580..52922f48d 100644
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@@ -2199,6 +2199,16 @@
 goto Exit;
 }
 
+ /* font names must not be empty */
+ if ( font->name_index.data_size < font->name_index.count )
+ {
+ /* for pure CFFs, we still haven't checked enough bytes */
+ /* to be sure that it is a CFF at all */
+ error = pure_cff ? FT_THROW( Unknown_File_Format )
+ : FT_THROW( Invalid_File_Format );
+ goto Exit;
+ }
+
 if ( FT_SET_ERROR( cff_index_init( &font->font_dict_index,
 stream, 0, cff2 ) ) ||
 FT_SET_ERROR( cff_index_init( &string_index,
@@ -2210,6 +2220,15 @@
 &font->string_pool,
 &font->string_pool_size ) ) )
 goto Exit;
+
+ /* there must be a Top DICT index entry for each name index entry */
+ if ( font->name_index.count > font->font_dict_index.count )
+ {
+ FT_ERROR(( "cff_font_load:"
+ " not enough entries in Top DICT index\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Exit;
+ }
 }
 
 font->num_strings = string_index.count;
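Review bot: The comment `/* font names must not be empty */` promises more than the added test `font->name_index.data_size < font->name_index.count` delivers: it only rejects a Name INDEX whose total payload is smaller than its entry count, so an INDEX holding one long name and one zero-length name still passes. I would either reword it as `/* a Name INDEX with fewer data bytes than entries necessarily holds an empty name */` so later readers do not treat it as a per-entry guarantee, or validate each entry's length if that per-entry property is relied on downstream. Unlike the second cffload.c hunk, which logs via FT_ERROR before bailing out, this rejection is silent; a matching `FT_ERROR(( "cff_font_load: invalid Name INDEX\n" ))` in the non-pure_cff branch would make fuzzer-found rejections diagnosable from the trace output. The enclosing cff_font_load starts and ends outside the hunk.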
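Review bot: The new check `font->name_index.count > font->font_dict_index.count` is one-sided: it rejects a Name INDEX with more entries than the Top DICT INDEX but accepts the reverse, even though the comment above it describes a one-to-one correspondence. If the two counts are meant to agree, `!=` is the tighter test; if a surplus of Top DICT entries is deliberately tolerated, the comment should say so instead of implying equality. This hunk also throws Invalid_File_Format unconditionally while the first hunk distinguishes pure_cff; presumably enough of the header has been validated by this point to be sure the stream is a CFF, but a one-line comment stating that would spare the next reader the same question. cff_font_load continues outside the hunk.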